Mental & Behavioral Health
Practice Update from the National Association of Social Workers
What Social Workers Should Know about the HIPAA Privacy Regulations
What Social Workers Should Know about the HIPAA Privacy Regulations
This practice update is a starting point for discussion and guidance for social workers on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations and compliance. Given the complexity of the HIPAA privacy regulations and the possibility of modifications, we anticipate future updates that will provide additional information and guidance on specific components of the regulations and any further modifications. NASW recommends that you review this guideline carefully, to determine whether you meet the definition of a "covered entity" under the HIPAA privacy regulations and are subject to complying with the regulations.
The primacy of client privacy and confidentiality has long been a tenet of the social work profession. The nature of our work with clients and our sensitivity to the stigma that often accompanies mental illness and substance abuse issues guides our position. The U.S. Congress recognized the importance of privacy of medical records when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted during the Clinton administration.
HIPAA authorized Congress to establish uniform privacy standards for health information that is electronically transmitted . Under this law, Congress was required to pass comprehensive health privacy legislation by August 21, 1999 . Congress failed to accomplish this task and thus, responsibility for issuing privacy regulations was transferred to the Secretary of Health and Human Services (HHS) as mandated by HIPAA. In accordance, HHS issued proposed regulations on October 29, 1999 , and allowed for an extended comment period. More than 52,000 comments were received in response to these regulations, including extensive comments submitted by the National Association of Social Workers and individual social workers. The final privacy regulations were issued by HHS just before the completion of President Clinton's term; however, on February 26, 2001 , the Bush Administration reopened the comment period for an additional 30 days. On April 12, 2001 , President Bush announced that the privacy regulations, without changes, would take effect on April 14, 2001 .
WHAT DO THE NEW PRIVACY REGULATIONS SEEK TO DO?
The privacy regulations establish that personal health information must be kept confidential. The regulations are designed to safeguard the privacy and confidentiality of a consumer's health information, especially in this age of rapid advances in technology and the subsequent ease with which information can be transmitted. The regulations establish a baseline of patient/client protections by defining the rights of individuals, the administrative obligations of covered entities, and the permitted uses and disclosures of protected health information. State laws that are stronger (that is, provide a greater degree of privacy protection) will continue to stand. In addition, states have the liberty to enact stronger protections in the future.
"Covered entities" have until April 14, 2003 , to implement the HIPAA privacy regulations and come into compliance. Under the regulations, failure to comply can result in civil and criminal penalties for covered entities; however, clients were not accorded the right to sue for violations of the regulation. The controversy and debate over the current regulations have not been put to rest. Recent comments by President Bush and HHS Secretary Tommy Thompson indicate plans to "soften" the regulations and to revisit some of the more controversial components over the next two years. Nevertheless, the clock has started on the two-year window for compliance, and thus health care providers need to determine now whether they meet the definition of a covered entity and what modifications they must make to be in compliance by April 14, 2003 .
Who or what is a "covered entity" under the new regulations?
Note: Although many social workers currently do not transmit health claimsâ€“type information electronically, thus not meeting the definition of a covered entity, it is likely that over the next few years, this will become a standard and expected industry practice. NASW advises members to consider this as they review their status as a covered entity.
The HIPAA regulations require that covered entities maintain contracts with their business associates that essentially bind the business associates to the same privacy practices of the covered entities. Business associates are defined as individuals who receive health information from a covered entity or on behalf of a covered entity. Examples include a copy center, a contracted phone answering service, an accountant reviewing books, auditors, quality assurance/utilization review services, or other contracted services that might interact with protected health information.
What information is protected by the privacy regulations? [Protected Health Information]
Protected health information includes information
Note : All medical records or other individually identifiable health information held or disclosed by a covered entity in any form (electronically, on paper, or orally) are covered by the final regulation.
How is this information protected?
Protected health information may not be disclosed by a covered entity without the informed and voluntary written consent or authorization of the client. A covered entity is required to obtain a client's consent for use or disclosure of client information for purposes of health care treatment, payment, and operations. Disclosure must be limited to the minimum amount necessary for the purposes of disclosure, with the exception of transferring records for treatment, when providers need access to the full record to ensure quality care. A client's authorization is required for any other type of disclosure.
Health care providers may condition treatment on obtaining client consent of protected health information for the purposes of treatment, payment, and health care operations. Similarly, health plans and health care clearinghouses also may condition enrollment on the client's provision of a consent to disclose protected health information for the purposes of treatment, payment, and health care operations.
What are the client's rights under these new regulations?
Administrative Requirement for Covered Entities
Covered entities are required to:
Are there circumstances under which protected health information may be disclosed without a client's consent or authorization?
Yes. There are a number of exceptions under the HIPAA regulations that allow for disclosure of client's protected health information without client consent or authorization. Note, however, that state law requirements may differ or be more protective of the client's protected health information. Some permitted HIPAA disclosures are
The HIPAA regulations are "permissive," which means that these are the circumstances under the regulations in which health care providers are permitted to disclose protected health information without client consent or authorization. However, other laws (such as state privacy and confidentiality regulations) or a professional code of ethics may require providers to proceed in a different manner. Social workers are expected to adhere to their professional code of ethics when determining whether it is necessary or appropriate to make these permitted HIPAA disclosures.
Do the same requirements apply to mental health records and to medical records?
In general, yes; however,
How are psychotherapy notes defined?
Are there circumstances under which psychotherapy notes may be disclosed under HIPAA without the client's consent or authorization?
Yes. "Psychotherapy notes may be disclosed without consent or authorization:
Unlike other health records, psychotherapy notes are not subject to disclosure to individuals." (Litwak, Behavioral Healthcare Tomorrow, April 2001).
Questions and Guidance
Questions about interpretation or application of the regulations can be addressed to HHS directly by calling 1-866-627-7748, 1-866-788-4989 (TTY) or submitting an email to: email@example.com .
Questions about state law (such as whether a state privacy law is more protective than the federal regulation) should be addressed to the Attorney General for the state in question. Contact information for the State Attorney General's office is available online at: www.cslib.org/attygenl/mainlinks/tabindex9.htm .
On July 6, 2001 , HHS Secretary Thompson issued the first guidance document for the HIPAA Privacy Regulations. This document is the first of several guidance documents that HHS will issue in order to clarify the Privacy Regulations, assist with implementation and address any modifications. This document can be accessed at the HHS Office for Civil Rights web site at www.hhs.gov/ocr/hipaa/ under the heading "Technical Assistance".
References & Reading
Nancy Bateman, LCSW-C, CAC